Create firewall rules by script
Hi to all,
I saw the previous topic, but I would like to know if, with the new version, I can add rules from an external application.
I would like to create firewall rules for what my SIEM recognizes as an attack.
Can I do that?
Wouldn't you be better installing something like Snort or Suricata and sign up to a paid subscription?
I have an IDS/IPS system, but I would like to do this with the SIEM and pfSense if it is possible.
To dynamically add / remove rules to the firewall you need to use anchors.
pfSense has several anchors for this purpose.
For example, the anchor "userrules":
# User-defined rules follow anchor "userrules/*"
The Fail2ban + Packet Filter combination works on this principle:
root@fr:/usr/local/etc/fail2ban # pfctl -a f2b/SSH -sr
block drop log quick proto tcp from <f2b-SSH> to any port = ssh
root@fr:/usr/local/etc/fail2ban # pfctl -a f2b/SSH -t f2b-SSH -Ts
126.96.36.199
root@fr:/usr/local/etc/fail2ban #
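An added example, not code from this thread or from pfSense, that follows the anchor-plus-table pattern shown above so an external tool such as a SIEM can push or retract addresses without rewriting the main ruleset. The anchor name siem/block and the table name siem-block are assumptions.

```shell
#!/bin/sh
# Added example: one block rule lives in a dedicated pf anchor and references
# a table; the SIEM only ever adds/deletes table entries, which apply at once
# and never touch the pfSense-generated rules. Names below are assumptions.
ANCHOR="${ANCHOR:-siem/block}"
TABLE="${TABLE:-siem-block}"

# Accept only a plain dotted-quad IPv4 address. Anything else (ranges, hostnames,
# shell metacharacters in an alert field) is rejected before it reaches pfctl.
validate_ipv4() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Ruleset loaded into the anchor: a persistent table plus a single logged
# block rule, mirroring the fail2ban anchor in the post above.
anchor_ruleset() {
  printf 'table <%s> persist\nblock drop log quick from <%s> to any\n' "$TABLE" "$TABLE"
}

# Load (or reload) the anchor; pfctl replaces the anchor's contents, so this
# is safe to run repeatedly, e.g. at boot and after config changes.
load_anchor() {
  anchor_ruleset | pfctl -a "$ANCHOR" -f -
}

# Add / remove one address. Both return non-zero on a rejected address so the
# caller (cron job, SIEM webhook handler) can log the refusal.
block_ip()   { validate_ipv4 "$1" && pfctl -a "$ANCHOR" -t "$TABLE" -T add "$1"; }
unblock_ip() { validate_ipv4 "$1" && pfctl -a "$ANCHOR" -t "$TABLE" -T delete "$1"; }

# Show what the SIEM has pushed so far, for auditing (same as "-Ts" above).
list_blocked() { pfctl -a "$ANCHOR" -t "$TABLE" -T show; }
```

Run load_anchor once, then call block_ip / unblock_ip from whatever your SIEM can execute; list_blocked shows the live table.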
There is no API for this (yet), though there is the easyrule script, which may not help directly, but you could copy its code to potentially set up something.
Having an IDS inject rules is a fine idea in general, though. We have demonstrated this working in TNSR using its API combined with ERSPAN to feed packets to the IDS: https://github.com/Netgate/TNSR_IDS/